LayneIT
asked on
How can I force a remote office NOT on my domain to use a specific domain controller (or site) when authenticating to said domain?
A quick rundown of our environment first...
I work at the corporate office of a medium-sized international corporation. We have roughly 50 remote offices that all have permanent VPN tunnels to corporate... a big star if you will. 15 of those offices have a domain controller and their workstations are members of the corporate 2003 domain, so we have 16 sites total. The others either have workgroups or have their own untrusted domain. Typically remote offices CANNOT route to one another but can only get to the corporate 'hub'.
The Problem: One of these offices that has its own domain (untrusted) needs to access corporate resources which require authentication to the corporate domain. They have a secondary DNS zone for the corporate domain so they can ping corporate resources by name. The problem is that in my experience when you ping a fully qualified domain name you can get a response from any DC in your site. If you are like this remote office and outside the domain and therefore not in a site... you can get a response from ANY domain controller in the entire forest. Well, they only have network access to those DCs located at the corporate office, but often when they try to ping or authenticate to our domain, they are asking domain controllers at other remote offices and therefore get no response. Is it possible to force a remote office when pinging or authenticating to the corporate domain to ONLY ask domain controllers in the corporate site? Or even just one specific domain controller at corporate?
I imagine if this could be done it would have to be done in DNS but I cannot figure out how it is possible.
Thanks in advance for any help!!
-Mike
My end-user experience shows that the domain of the last logged-in admin is kept, and my IT experience tells me it should be in the HKLM registry.
Happy googling...
Oh, BTW you should also create a site, subnet, and site link in AD Sites and Services for every site that has to authenticate to domain resources even if there is no domain controller at the site.
ASKER
Thanks, that put me on the right track. We do have the sites set up correctly, but the problem is I think something in the application. I was assuming the remote application needed to be able to access Active Directory directly, but really it is only trying to access a SQL server in the corporate site and then THAT server does the communicating with Active Directory.
That is correct. Glad I could help get you on the right track.
ASKER
no additional comment
http://msdn.microsoft.com/en-us/library/aa378749(VS.85).aspx
You should set up site links in Active Directory. This is how AD knows who can talk to whom and how fast the link is between sites. In your scenario DO NOT create a site link bridge, as all the subnets cannot talk to each other. Make sure only sites that can talk to each other are members of each site link.
This is often an issue in star network designs, as when you create a site in AD it forces you to add it to a site link. Since you don't usually have all your site links set up when creating sites, everything gets added to the default site link, which makes AD think everyone can talk to each other.
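To show why the site, subnet and site-link advice above matters, here is an added model (not code from this thread or from Microsoft) of the DNS side of the DC locator: the subnet-to-site lookup a DC performs for a client address, the site-specific `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` SRV name versus the generic one that every DC in the forest registers, and how a DC-less site is covered by the cheapest directly linked site when no site link bridge exists. The domain name, sites, subnets, costs and hostnames are all constructed sample data.

```python
"""Constructed model of the DC locator's DNS behaviour (added example).
Sites, subnets, links and hosts below are sample data, not a real environment."""
import ipaddress

DOMAIN = "corp.example"  # constructed placeholder domain name

# Site -> DCs located in it (an empty list is a site with no DC of its own)
SITE_DCS = {
    "Corporate": ["dc1.corp.example", "dc2.corp.example"],
    "Branch-Berlin": ["dc-ber.corp.example"],
    "Branch-Tokyo": ["dc-tyo.corp.example"],
    "Remote-Untrusted": [],
}
# Subnet objects from AD Sites and Services: prefix -> site
SUBNETS = {
    "10.1.0.0/16": "Corporate",
    "10.20.0.0/16": "Branch-Berlin",
    "10.30.0.0/16": "Branch-Tokyo",
    "10.40.0.0/16": "Remote-Untrusted",
}
# Site links as (sites joined, cost); no bridge, so only direct links count
SITE_LINKS = [
    ({"Corporate", "Branch-Berlin"}, 100),
    ({"Corporate", "Branch-Tokyo"}, 100),
    ({"Corporate", "Remote-Untrusted"}, 50),
]

def site_for_ip(ip):
    """Longest-prefix match of a client address against the subnet objects."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p).prefixlen, s) for p, s in SUBNETS.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None

def covering_site(site):
    """Automatic site coverage: cheapest directly linked site that has DCs."""
    if SITE_DCS[site]:
        return site
    candidates = [(cost, next(iter(s - {site}))) for s, cost in SITE_LINKS
                  if site in s and SITE_DCS[next(iter(s - {site}))]]
    return min(candidates)[1] if candidates else None

def locate_dcs(client_ip):
    """Return the SRV name queried for this client and the DCs it resolves to."""
    site = site_for_ip(client_ip)
    if site is None:
        # No subnet object covers the address: generic record, every DC answers
        return f"_ldap._tcp.dc._msdcs.{DOMAIN}", sorted(sum(SITE_DCS.values(), []))
    name = f"_ldap._tcp.{site}._sites.dc._msdcs.{DOMAIN}"
    return name, sorted(SITE_DCS[covering_site(site)])
```

A client whose address matches no subnet object gets the generic record and may be handed an unreachable branch DC; once a subnet and site exist for the remote office, the site-specific record is served only by the covering corporate DCs.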